The Pentagon Still Doesn’t Encrypt Its Emails

And Sen. Ron Wyden wants to know why

A year and a half ago, an investigation revealed that several U.S. government agencies weren’t using basic, easy-to-implement, encryption technology — and thus failing to protect their employees’ emails traveling across the internet. At the time the U.S. Army and Navy and even the CIA and FBI didn’t use the widespread email encryption technology known as STARTTLS.

Since then, the FBI, NSA, CIA, the Director of National Intelligence and the Department of Homeland Security have all adopted it. But the Defense Information Systems Agency, or DISA — the Pentagon’s branch that oversees email through the mail.mil service and other technologies — still has not, according to an online testing tool.

One of the most tech-savvy people in Congress is starting to wonder what’s going on. In a letter sent to DISA last week, Sen. Ron Wyden, an Oregon Democrat, slammed the agency for failing to turn STARTTLS on.

“I am concerned that DISA is not taking advantage of a basic, widely used, easily-enabled cybersecurity technology,” Wyden wrote in the letter. “Indeed, until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromise by third parties.”

An illustration of how email travels across the internet, without STARTTLS. Image via Riseup.net

“DISA did receive Senator Wyden’s letter and is in the process of providing a formal response back to the senator,” a DISA spokesperson said in an email. “As such, we will not comment further until Senator Wyden is provided that response.”

Historically, emails travelled across the internet completely exposed.

That’s why the famed security expert Bruce Schneier once said that email is nothing more than “a postcard that anyone can read along the way.” That has changed in recent years, thanks to the adoption of an old protocol extension called STARTTLS, which lets two mail servers upgrade a plaintext SMTP connection to one protected by TLS, the same encryption protocol that secures HTTPS websites. The upgrade is opportunistic: it happens only if both sides offer it.

STARTTLS encrypts the connection over which email travels from one mail server to the next. If your provider doesn’t support STARTTLS, your email might be encrypted going from your computer to your provider, but it will then travel across the internet in the clear, on its way to the recipient’s server.

An illustration of how email travels across the internet, with STARTTLS. Image via Riseup.net

If both your provider and your recipient’s provider support STARTTLS, then the email is protected along the way.

It’s important to note that STARTTLS is not a panacea against hackers and government spies. Because the upgrade is opportunistic, a connection falls back to plaintext whenever either server doesn’t offer it, and an attacker sitting on the path can strip the offer out of the handshake unless the sending server is configured to insist on TLS. But it helps, and the more people use it, the more everyone is protected. That’s why Google in early 2016 started flagging Gmail recipients who used a provider that didn’t support STARTTLS with a red open padlock.
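The following is an added example, not code from the original article or from DISA, showing what the online testing tool mentioned above effectively does: it reads the mail server’s EHLO reply, looks for the STARTTLS capability, and attempts the upgrade. The EHLO reply embedded below is a constructed sample, and mx.example.test is a placeholder hostname. It also simulates the downgrade caveat from the paragraph above by removing the STARTTLS offer the way an on-path attacker would, so you can see that a client which merely checks the advertised capabilities will silently continue in plaintext.

```python
"""Check whether an SMTP server advertises and negotiates STARTTLS.

Added example for this article; not the page's or any project's own code.
The EHLO reply below is a constructed sample and mx.example.test is a
placeholder hostname (assumption, not a real server).
"""
import re
import smtplib
import ssl

# Constructed sample of a multi-line EHLO reply from a server offering
# STARTTLS. Continuation lines are "250-<keyword>", the last is "250 <keyword>".
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

_CAP_LINE = re.compile(r"^250[ -]([A-Za-z0-9]+)\s*(.*)$")


def parse_ehlo_capabilities(reply: str) -> dict:
    """Parse a raw EHLO reply into {KEYWORD: parameters}.

    The first line is the server greeting (hostname plus banner), not a
    capability, so it is skipped. Keywords are normalised to upper case.
    """
    caps = {}
    for line in reply.replace("\r\n", "\n").split("\n")[1:]:
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2).strip()
    return caps


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply offers the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def strip_starttls(reply: str) -> str:
    """Simulate an active on-path attacker deleting the STARTTLS offer.

    STARTTLS is opportunistic: a sender that does not enforce TLS for this
    destination (for example via an MTA-STS or DANE policy) will accept the
    edited reply and keep talking in plaintext. The last line is re-marked
    as final ("250 ") if the removed offer happened to be the last one.
    """
    kept = [
        line for line in reply.split("\r\n")
        if line and not re.match(r"^250[ -]STARTTLS\b", line, re.IGNORECASE)
    ]
    if kept and kept[-1].startswith("250-"):
        kept[-1] = "250 " + kept[-1][4:]
    return "\r\n".join(kept) + "\r\n"


def check_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server, send EHLO and attempt the STARTTLS upgrade.

    Requires network access, so it is not exercised by the offline sample.
    A certificate that fails validation raises ssl.SSLError, which is itself
    a finding worth recording rather than silencing.
    """
    result = {"host": host, "advertised": False, "negotiated": False, "tls_version": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("starttls-check.example.test")  # placeholder client name
        result["advertised"] = smtp.has_extn("starttls")
        if result["advertised"]:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            smtp.starttls(context=ctx)
            result["negotiated"] = True
            result["tls_version"] = smtp.sock.version()
            smtp.ehlo("starttls-check.example.test")  # re-EHLO after the upgrade
    return result


if __name__ == "__main__":
    print("sample advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO_WITH_STARTTLS))
    print("after stripping:", advertises_starttls(strip_starttls(SAMPLE_EHLO_WITH_STARTTLS)))
    # Uncomment to test a live MX, e.g. check_mx_starttls("mx.example.test")
```

A sending server that only checks the advertised capabilities, as `advertises_starttls` does, is exactly the client the stripping attack targets; the defence is a policy on the sender’s side that refuses to deliver to a given domain without TLS, which is outside what STARTTLS alone provides.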

“Some in the executive branch continue their misguided campaign to weaken encryption and create back doors into Americans’ personal devices,” Wyden said in a statement sent to Motherboard. “But the fact that so many federal agencies have opted to turn on STARTTLS is proof that encryption plays a vital role in protecting U.S. government data from being stolen by foreign spies and hackers. I hope the military will follow the lead set by DHS, the NSA, and the FBI by promptly enabling STARTTLS.”